
Bug#777045: unblock: phpbb3/3.0.12-4



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package phpbb3

It fixes two security issues (marked as no-DSA), and an annoying PHP 5.6
incompatibility that throws big red warnings in the administration panel.

All those fixes are cherry-picked from upstream, as included in the
3.0.13-PL1 version uploaded to experimental (full debdiff attached):

phpbb3 (3.0.12-4) unstable; urgency=medium

  * Fix CSRF vulnerability [CVE-2015-1432] and CSS injection [CVE-2015-1431]
    (Closes: #776699)
  * Improve PHP 5.6 compatibility: allow mbstring.http_{in,out}put to be set
    as '' as well as 'pass' on install; do not display warning in ACP if so.

 -- David Prévot <taffit@debian.org>  Mon, 02 Feb 2015 20:35:46 -0400

unblock phpbb3/3.0.12-4

Please note that 3.0.13-PL1 fixes more PHP 5.6 compatibility issues, so
I’d be grateful if you were inclined to consider approving it into
Jessie. I also attached a diffstat (with translations excluded) to give
you an idea of the changes involved; I’ll follow up with a pre-approval
request with the actual debdiff if you wish.

Regards

David

diff -Nru phpbb3-3.0.12/debian/changelog phpbb3-3.0.12/debian/changelog
--- phpbb3-3.0.12/debian/changelog	2014-10-25 20:58:38.000000000 -0400
+++ phpbb3-3.0.12/debian/changelog	2015-02-02 20:38:36.000000000 -0400
@@ -1,3 +1,12 @@
+phpbb3 (3.0.12-4) unstable; urgency=medium
+
+  * Fix CSRF vulnerability [CVE-2015-1432] and CSS injection [CVE-2015-1431]
+    (Closes: #776699)
+  * Improve PHP 5.6 compatibility: allow mbstring.http_{in,out}put to be set
+    as '' as well as 'pass' on install; do not display warning in ACP if so.
+
+ -- David Prévot <taffit@debian.org>  Mon, 02 Feb 2015 20:35:46 -0400
+
 phpbb3 (3.0.12-3) unstable; urgency=medium
 
   * Adapt update_languages script to new scheme
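Review bot: the changelog entry names both CVEs and the PHP 5.6 change but says nothing about the user-visible effect of the CVE-2015-1431 fix, which makes phpBB answer 404 to any request whose path contains a `.php/` segment (see the comment in fix_CVE-2015-1431.patch about boards installed under a directory named like test.php); a sentence here or a debian/NEWS entry would warn stable users whose installations stop working after the update.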
diff -Nru phpbb3-3.0.12/debian/patches/fix_CVE-2015-1431.patch phpbb3-3.0.12/debian/patches/fix_CVE-2015-1431.patch
--- phpbb3-3.0.12/debian/patches/fix_CVE-2015-1431.patch	1969-12-31 20:00:00.000000000 -0400
+++ phpbb3-3.0.12/debian/patches/fix_CVE-2015-1431.patch	2015-02-01 22:01:05.000000000 -0400
@@ -0,0 +1,70 @@
+Description: Explicitly disallow trailing paths
+ CSRF potentially allowing an attacker to modify the private message
+ setting that determines how full folders are handled (i.e. whether to
+ delete the oldest message or hold the new message until further space
+ is available).
+ [CVE-2015-1432]
+Author: Marc Alexander <admin@m-a-styles.de>
+Origin: upstream, https://www.phpbb.com/community/viewtopic.php?f=14&t=2291456
+Bug: https://tracker.phpbb.com/browse/PHPBB3-13531, https://tracker.phpbb.com/browse/PHPBB3-13549
+Bug-Debian: https://bugs.debian.org/776699
+Applied-Upstream: commit, https://github.com/phpbb/phpbb/commit/4b9434bf1ba4c015da11309602cfccf1a9c2493c https://github.com/phpbb/phpbb/commit/e34b92882a51dc89da88464b8c751a9d93a03124 https://github.com/phpbb/phpbb/commit/74950559074d738733ac1258b07912f9ca14203a
+Reviewed-by: Andreas Fischer <bantu@phpbb.com>, Nils Adermann <naderman@naderman.de>
+Last-Update: 2015-02-01
+--- a/includes/startup.php
++++ b/includes/startup.php
+@@ -113,6 +113,54 @@
+ 	unset($input);
+ }
+ 
++/**
++ * Check if requested page uses a trailing path
++ *
++ * @param string $phpEx PHP extension
++ *
++ * @return bool True if trailing path is used, false if not
++ */
++function phpbb_has_trailing_path($phpEx)
++{
++	// Check if path_info is being used
++	if (!empty($_SERVER['PATH_INFO']) || (!empty($_SERVER['ORIG_PATH_INFO']) && $_SERVER['SCRIPT_NAME'] != $_SERVER['ORIG_PATH_INFO']))
++	{
++		return true;
++	}
++
++	// Match any trailing path appended to a php script in the REQUEST_URI.
++	// It is assumed that only actual PHP scripts use names like foo.php. Due
++	// to this, any phpBB board inside a directory that has the php extension
++	// appended to its name will stop working, i.e. if the board is at
++	// example.com/phpBB/test.php/ or example.com/test.php/
++	if (preg_match('#^[^?]+\.' . preg_quote($phpEx, '#') . '/#', $_SERVER['REQUEST_URI']))
++	{
++		return true;
++	}
++
++	return false;
++}
++
++// Check if trailing path is used
++if (phpbb_has_trailing_path($phpEx))
++{
++	if (substr(strtolower(@php_sapi_name()), 0, 3) === 'cgi')
++	{
++		$prefix = 'Status:';
++	}
++	else if (!empty($_SERVER['SERVER_PROTOCOL']))
++	{
++		$prefix = $_SERVER['SERVER_PROTOCOL'];
++	}
++	else
++	{
++		$prefix = 'HTTP/1.0';
++	}
++	header("$prefix 404 Not Found", true, 404);
++	echo 'Trailing paths and PATH_INFO is not supported by phpBB 3.0';
++	exit;
++}
++
+ // Register globals and magic quotes have been dropped in PHP 5.4
+ if (version_compare(PHP_VERSION, '5.4.0-dev', '>='))
+ {
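Review bot: the long description in this patch header (the lines from `+ CSRF potentially allowing an attacker to modify the private message` down to `+ [CVE-2015-1432]`) describes the form-key CSRF issue that fix_CVE-2015-1432.patch fixes, while the CSS-via-trailing-path text sits in that other patch; swap the two bodies so each DEP-3 header matches its own Description line and file name. The code is consistent with the short description: phpbb_has_trailing_path() returns true on PATH_INFO/ORIG_PATH_INFO or on any `.php/` segment before the query string, and the caller answers 404. As the comment inside the function admits, this also breaks boards served from a directory whose name ends in the PHP extension; that behaviour change deserves a line in the Debian changelog or NEWS, since stable users will not read the upstream comment.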
diff -Nru phpbb3-3.0.12/debian/patches/fix_CVE-2015-1432.patch phpbb3-3.0.12/debian/patches/fix_CVE-2015-1432.patch
--- phpbb3-3.0.12/debian/patches/fix_CVE-2015-1432.patch	1969-12-31 20:00:00.000000000 -0400
+++ phpbb3-3.0.12/debian/patches/fix_CVE-2015-1432.patch	2015-02-01 22:10:06.000000000 -0400
@@ -0,0 +1,27 @@
+Description: Correctly validate the ucp_pm_options form key
+ This allows an attacker to load arbitrary CSS in Internet Explorer by
+ crafting a URL with trailing paths after a PHP file (for example
+ /path/index.php/more/path). This is only possible if the webserver
+ configuration allows accessing PHP files in this manner.
+Author: Joas Schilling <nickvergessen@gmx.de>
+Origin: upstream, https://www.phpbb.com/community/viewtopic.php?f=14&t=2291456
+Bug: https://tracker.phpbb.com/browse/PHPBB3-13526
+Bug-Debian: https://bugs.debian.org/776699
+Applied-Upstream: commit, https://github.com/phpbb/phpbb/commit/23069a13e203985ab124d1139e8de74b12778449
+Reviewed-by: Andreas Fischer <bantu@phpbb.com>
+Last-Update: 2015-02-01
+--- a/includes/ucp/ucp_pm_options.php
++++ b/includes/ucp/ucp_pm_options.php
+@@ -29,7 +29,11 @@
+ 	// Change "full folder" setting - what to do if folder is full
+ 	if (isset($_POST['fullfolder']))
+ 	{
+-		check_form_key('ucp_pm_options', $config['form_token_lifetime'], $redirect_url);
++		if (!check_form_key('ucp_pm_options'))
++		{
++			trigger_error('FORM_INVALID');
++		}
++
+ 		$full_action = request_var('full_action', 0);
+ 
+ 		$set_folder_id = 0;
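Review bot: the long description here (starting `+ This allows an attacker to load arbitrary CSS in Internet Explorer by`) is the trailing-path/CSS issue handled by fix_CVE-2015-1431.patch, and the CSRF text tagged [CVE-2015-1432] is over there; swap them. On the code: the removed call passed `$config['form_token_lifetime']` and `$redirect_url` but discarded the boolean result, which is why the form key was never enforced, and the replacement checks the result and stops with trigger_error('FORM_INVALID'). Two things worth confirming in the description: that check_form_key() with no timespan argument falls back to the configured form_token_lifetime (otherwise pass it through explicitly), and whether $redirect_url is still used elsewhere in this file now that this call no longer takes it.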
diff -Nru phpbb3-3.0.12/debian/patches/improve_php_5.6_compatibility.patch phpbb3-3.0.12/debian/patches/improve_php_5.6_compatibility.patch
--- phpbb3-3.0.12/debian/patches/improve_php_5.6_compatibility.patch	1969-12-31 20:00:00.000000000 -0400
+++ phpbb3-3.0.12/debian/patches/improve_php_5.6_compatibility.patch	2015-02-02 20:34:51.000000000 -0400
@@ -0,0 +1,45 @@
+Description: Handle mbstring.http_{in,out}put for PHP 5.6
+ Having mbstring.http_input set to '' is as good as 'pass'.
+ Fix mbstring warnings in ACP for PHP 5.6 compatibility. 
+Author: Andreas Fischer <bantu@phpbb.com>, Oliver Schramm <oliver.schramm97@gmail.com>
+Origin: upstream
+Bug: https://tracker.phpbb.com/browse/PHPBB3-12468 https://tracker.phpbb.com/browse/PHPBB3-13168
+Applied-Upstream: commit, https://github.com/phpbb/phpbb/commit/370015c1a5f490a7fae85da268b81cb8d1748f50 https://github.com/phpbb/phpbb/commit/53f166274aaa55b98a1c671dbb5cbd403d879157
+Reviewed-by: Nils Adermann <naderman@naderman.de>
+Last-Update: 2015-02-02
+--- a/includes/acp/acp_main.php
++++ b/includes/acp/acp_main.php
+@@ -610,8 +610,8 @@
+ 				'S_MBSTRING_LOADED'						=> true,
+ 				'S_MBSTRING_FUNC_OVERLOAD_FAIL'			=> (intval(@ini_get('mbstring.func_overload')) & (MB_OVERLOAD_MAIL | MB_OVERLOAD_STRING)),
+ 				'S_MBSTRING_ENCODING_TRANSLATION_FAIL'	=> (@ini_get('mbstring.encoding_translation') != 0),
+-				'S_MBSTRING_HTTP_INPUT_FAIL'			=> (@ini_get('mbstring.http_input') != 'pass'),
+-				'S_MBSTRING_HTTP_OUTPUT_FAIL'			=> (@ini_get('mbstring.http_output') != 'pass'),
++				'S_MBSTRING_HTTP_INPUT_FAIL'			=> !in_array(@ini_get('mbstring.http_input'), array('pass', '')),
++				'S_MBSTRING_HTTP_OUTPUT_FAIL'			=> !in_array(@ini_get('mbstring.http_output'), array('pass', '')),
+ 			));
+ 		}
+ 
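Review bot: the in_array() calls in the new S_MBSTRING_HTTP_INPUT_FAIL / S_MBSTRING_HTTP_OUTPUT_FAIL lines use loose comparison, so a `false` return from ini_get() (directive not present) also matches '' and is reported as passing; if that is intended for PHP 5.6, say so in the description, otherwise pass `true` as the third argument and treat false explicitly. Also in the header: the line `+ Fix mbstring warnings in ACP for PHP 5.6 compatibility. ` has trailing whitespace, `+Origin: upstream` carries no URL unlike the two CVE patches, and the Bug: field separates its two URLs with a space where fix_CVE-2015-1431.patch uses a comma.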
+--- a/install/install_install.php
++++ b/install/install_install.php
+@@ -273,8 +273,8 @@
+ 			$checks = array(
+ 				array('func_overload', '&', MB_OVERLOAD_MAIL|MB_OVERLOAD_STRING),
+ 				array('encoding_translation', '!=', 0),
+-				array('http_input', '!=', 'pass'),
+-				array('http_output', '!=', 'pass')
++				array('http_input', '!=', array('pass', '')),
++				array('http_output', '!=', array('pass', ''))
+ 			);
+ 
+ 			foreach ($checks as $mb_checks)
+@@ -295,7 +295,8 @@
+ 					break;
+ 
+ 					case '!=':
+-						if ($ini_val != $mb_checks[2])
++						if (!is_array($mb_checks[2]) && $ini_val != $mb_checks[2] ||
++							is_array($mb_checks[2]) && !in_array($ini_val, $mb_checks[2]))
+ 						{
+ 							$result = '<strong style="color:red">' . $lang['NO'] . '</strong>';
+ 							$passed['mbstring'] = false;
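Review bot: in the `case '!='` change, `!is_array(...) && ... || is_array(...) && !in_array(...)` relies on && binding tighter than ||, which gives the intended result in PHP, but with the || at the end of the first line the continuation reads as ambiguous; parenthesise each branch. The same loose in_array() caveat as in acp_main.php applies to the `array('pass', '')` operands added to $checks in the previous hunk, and overloading the '!=' operator string to mean "not in" when the third element is an array is fine but deserves a one-line comment next to the $checks array.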
diff -Nru phpbb3-3.0.12/debian/patches/series phpbb3-3.0.12/debian/patches/series
--- phpbb3-3.0.12/debian/patches/series	2014-04-11 17:25:58.000000000 -0400
+++ phpbb3-3.0.12/debian/patches/series	2015-02-02 20:27:08.000000000 -0400
@@ -5,3 +5,6 @@
 031_fix_installer.patch
 fix_chown.patch
 privacy-breach-generic.patch
+fix_CVE-2015-1431.patch
+fix_CVE-2015-1432.patch
+improve_php_5.6_compatibility.patch

 .htaccess                                                |   56 +
 adm/style/acp_inactive.html                              |    2 
 adm/style/acp_update.html                                |    2 
 adm/style/acp_users_overview.html                        |    2 
 adm/style/admin.css                                      |   10 
 adm/style/editor.js                                      |    2 
 debian/changelog                                         |   23 
 debian/copyright                                         |   14 
 debian/database_update_debian.php                        |    2 
 debian/get-orig-source                                   |   15 
 debian/patches/012_disable_version_check.patch           |    6 
 debian/patches/021_multisite.patch                       |    8 
 debian/patches/022_multisite_installer.patch             |    8 
 debian/patches/fix_CVE-2015-1431.patch                   |   70 -
 debian/patches/fix_CVE-2015-1432.patch                   |   27 
 debian/patches/improve_php_5.6_compatibility.patch       |   45 -
 debian/patches/series                                    |    3 
 debian/schema_data_debian.sql                            |    2 
 debian/update_languages                                  |    1 
 debian/upstream/phpbb3.info                              |    6 
 debian/upstream/phpbb3_l10n-ar.info                      |    1 
 debian/upstream/phpbb3_l10n-be.info                      |    2 
 debian/upstream/phpbb3_l10n-bg.info                      |    1 
 debian/upstream/phpbb3_l10n-ca.info                      |    1 
 debian/upstream/phpbb3_l10n-cs.info                      |    1 
 debian/upstream/phpbb3_l10n-da.info                      |    1 
 debian/upstream/phpbb3_l10n-de-x-sie.info                |    1 
 debian/upstream/phpbb3_l10n-de.info                      |    1 
 debian/upstream/phpbb3_l10n-el.info                      |    1 
 debian/upstream/phpbb3_l10n-en-us.info                   |    1 
 debian/upstream/phpbb3_l10n-en.info                      |    1 
 debian/upstream/phpbb3_l10n-es-ar.info                   |    1 
 debian/upstream/phpbb3_l10n-es-mx.info                   |    1 
 debian/upstream/phpbb3_l10n-es-x-tu.info                 |    1 
 debian/upstream/phpbb3_l10n-es.info                      |    1 
 debian/upstream/phpbb3_l10n-et.info                      |    5 
 debian/upstream/phpbb3_l10n-eu.info                      |    1 
 debian/upstream/phpbb3_l10n-fa.info                      |    1 
 debian/upstream/phpbb3_l10n-fi.info                      |    2 
 debian/upstream/phpbb3_l10n-fr.info                      |    1 
 debian/upstream/phpbb3_l10n-gd.info                      |    1 
 debian/upstream/phpbb3_l10n-gl.info                      |    1 
 debian/upstream/phpbb3_l10n-he.info                      |    1 
 debian/upstream/phpbb3_l10n-hr.info                      |    4 
 debian/upstream/phpbb3_l10n-hu.info                      |    1 
 debian/upstream/phpbb3_l10n-id.info                      |    1 
 debian/upstream/phpbb3_l10n-it.info                      |    1 
 debian/upstream/phpbb3_l10n-ja.info                      |    1 
 debian/upstream/phpbb3_l10n-ku.info                      |    1 
 debian/upstream/phpbb3_l10n-lt.info                      |    1 
 debian/upstream/phpbb3_l10n-mk.info                      |    1 
 debian/upstream/phpbb3_l10n-nl-x-formal.info             |    5 
 debian/upstream/phpbb3_l10n-nl.info                      |    6 
 debian/upstream/phpbb3_l10n-pl.info                      |    1 
 debian/upstream/phpbb3_l10n-pt-br.info                   |    1 
 debian/upstream/phpbb3_l10n-pt.info                      |    1 
 debian/upstream/phpbb3_l10n-ro.info                      |    5 
 debian/upstream/phpbb3_l10n-ru.info                      |    5 
 debian/upstream/phpbb3_l10n-sk.info                      |    1 
 debian/upstream/phpbb3_l10n-sl.info                      |    1 
 debian/upstream/phpbb3_l10n-sr-latn.info                 |    1 
 debian/upstream/phpbb3_l10n-sr.info                      |    1 
 debian/upstream/phpbb3_l10n-sv.info                      |    1 
 debian/upstream/phpbb3_l10n-th.info                      |    1 
 debian/upstream/phpbb3_l10n-tr.info                      |    1 
 debian/upstream/phpbb3_l10n-tt.info                      |    1 
 debian/upstream/phpbb3_l10n-uk.info                      |    1 
 debian/upstream/phpbb3_l10n-ur.info                      |    1 
 debian/upstream/phpbb3_l10n-vi.info                      |    1 
 debian/upstream/phpbb3_l10n-zh-cmn-hans.info             |    1 
 debian/upstream/phpbb3_l10n-zh_cmn_hant.info             |    6 
 debian/watch                                             |    2 
 docs/AUTHORS                                             |    9 
 docs/CHANGELOG.html                                      |  207 ++++-
 docs/INSTALL.html                                        |    7 
 docs/README.html                                         |    2 
 docs/coding-guidelines.html                              |   20 
 includes/acm/acm_memory.php                              |   16 
 includes/acp/acp_attachments.php                         |    2 
 includes/acp/acp_board.php                               |    2 
 includes/acp/acp_forums.php                              |    1 
 includes/acp/acp_main.php                                |    4 
 includes/acp/acp_php_info.php                            |    2 
 includes/acp/acp_update.php                              |    5 
 includes/acp/acp_users.php                               |   12 
 includes/auth/auth_ldap.php                              |    4 
 includes/bbcode.php                                      |    9 
 includes/constants.php                                   |    2 
 includes/db/db_tools.php                                 |  152 ++-
 includes/functions.php                                   |    8 
 includes/functions_admin.php                             |   16 
 includes/functions_content.php                           |   22 
 includes/functions_install.php                           |    2 
 includes/functions_module.php                            |    6 
 includes/functions_posting.php                           |    4 
 includes/functions_privmsgs.php                          |    2 
 includes/functions_profile_fields.php                    |    2 
 includes/functions_upload.php                            |   31 
 includes/functions_user.php                              |   28 
 includes/mcp/info/mcp_pm_reports.php                     |    2 
 includes/mcp/mcp_pm_reports.php                          |    1 
 includes/mcp/mcp_post.php                                |    1 
 includes/mcp/mcp_queue.php                               |    6 
 includes/mcp/mcp_reports.php                             |    1 
 includes/search/fulltext_native.php                      |   41 -
 includes/session.php                                     |   22 
 includes/startup.php                                     |   76 +
 includes/ucp/ucp_pm_options.php                          |    6 
 includes/ucp/ucp_profile.php                             |    3 
 includes/ucp/ucp_remind.php                              |    2 
 install/convertors/convert_phpbb20.php                   |    2 
 install/database_update.php                              |   24 
 install/index.php                                        |    3 
 install/install_convert.php                              |    2 
 install/install_install.php                              |   50 +
 install/schemas/mssql_schema.sql                         |  605 +++++++--------
 install/schemas/schema_data.sql                          |    4 
 language/en/acp/ban.php                                  |    4 
 language/en/acp/board.php                                |    4 
 language/en/acp/common.php                               |    2 
 language/en/acp/email.php                                |    2 
 language/en/acp/users.php                                |    1 
 language/en/common.php                                   |    8 
 language/en/email/forum_notify.txt                       |    2 
 language/en/email/newtopic_notify.txt                    |    2 
 language/en/email/topic_notify.txt                       |    3 
 language/en/memberlist.php                               |    1 
 language/en/posting.php                                  |    3 
 language/en/ucp.php                                      |    2 
 search.php                                               |   15 
 styles/prosilver/imageset/imageset.cfg                   |    2 
 styles/prosilver/style.cfg                               |    2 
 styles/prosilver/template/editor.js                      |    2 
 styles/prosilver/template/forum_fn.js                    |    2 
 styles/prosilver/template/forumlist_body.html            |    2 
 styles/prosilver/template/mcp_post.html                  |    4 
 styles/prosilver/template/overall_footer.html            |    2 
 styles/prosilver/template/posting_smilies.html           |    4 
 styles/prosilver/template/template.cfg                   |    2 
 styles/prosilver/template/ucp_groups_manage.html         |    2 
 styles/prosilver/template/ucp_pm_viewmessage_print.html  |    2 
 styles/prosilver/template/ucp_profile_profile_info.html  |    6 
 styles/prosilver/template/ucp_profile_reg_details.html   |    3 
 styles/prosilver/template/viewtopic_print.html           |    2 
 styles/prosilver/theme/colours.css                       |   32 
 styles/prosilver/theme/forms.css                         |   10 
 styles/prosilver/theme/theme.cfg                         |    2 
 styles/subsilver2/imageset/imageset.cfg                  |    2 
 styles/subsilver2/style.cfg                              |    4 
 styles/subsilver2/template/editor.js                     |    2 
 styles/subsilver2/template/mcp_post.html                 |    2 
 styles/subsilver2/template/memberlist_view.html          |    2 
 styles/subsilver2/template/overall_header.html           |    2 
 styles/subsilver2/template/posting_smilies.html          |    4 
 styles/subsilver2/template/template.cfg                  |    2 
 styles/subsilver2/template/ucp_header.html               |    4 
 styles/subsilver2/template/ucp_pm_history.html           |    2 
 styles/subsilver2/template/ucp_pm_viewmessage_print.html |    1 
 styles/subsilver2/template/ucp_profile_reg_details.html  |    3 
 styles/subsilver2/template/ucp_profile_signature.html    |   43 -
 styles/subsilver2/template/viewtopic_print.html          |    1 
 styles/subsilver2/theme/stylesheet.css                   |   17 
 styles/subsilver2/theme/theme.cfg                        |    2 
 viewtopic.php                                            |   24 
 164 files changed, 1257 insertions(+), 806 deletions(-)

Attachment: signature.asc
Description: Digital signature

